In a recent conversation, Theo Zafirakos, Chief Information Security Officer (CISO) and Professional Services Lead at Fortra’s Terranova Security, and Jim Love, Chief Information Officer (CIO) of IT World Canada, delved into the nuances of building a culture of data security. This article provides a sneak peek into the critical role of culture in cybersecurity programs.
The importance of cyber culture
Terranova Security recently conducted two studies, in collaboration with Canadian research firm Ipsos and Microsoft, which shed light on the significance of cybersecurity culture. Their first study, “Moving From Data Protection to CyberCulture,” sparked a conversation about the role of culture in cybersecurity. It underscored that cybersecurity culture encompasses attitudes, perceptions, behaviors, and feelings individuals hold towards cybersecurity in our society.
“In any aspect of our society, culture typically starts either at home or what we learn from our parents, at school and the education we receive, or the government services provided to citizens,” Zafirakos said. “As we all know, the cybersecurity culture doesn’t exist to its required capacity in those areas.”
Cybersecurity culture should prioritize the best practices and protection of sensitive personal information assets within organizations. It’s more than mere compliance; it’s about fostering a culture of knowledge and security awareness across the organization.
The risks of ignoring cybersecurity culture
Love and Zafirakos also delved into the risks associated with neglecting cybersecurity culture. Notably, failing to cultivate a robust culture can leave organizations ill-prepared for evolving cyber threats.
“Cybercriminals have moved from targeting the machine to targeting the human,” Zafirakos said. “We see a lot of evolution in the way attacks are generated, created or even conducted. Artificial intelligence is also going to contribute to more sophisticated and error-proof attacks and scenarios.”
Moreover, the increasing reliance on cloud services and external partners adds complexity to the cybersecurity landscape. Cyberattacks are growing in complexity and frequency, often exploiting current events, technology trends, and popular brands to launch social engineering attacks.
The role of social engineering and phishing
Social engineering, including phishing, is a critical area where culture plays a pivotal role, but it is not the sole focus. Although 90 per cent of data breaches and cyberattacks result from phishing, employees also sometimes bypass cybersecurity controls to achieve work objectives, despite being aware of the rules and policies. This is analogous to individuals wearing seatbelts not solely because they believe it will save their lives but to avoid a ticket. Such behavior stems from a lack of full comprehension of the risks and consequences.
Unlock the full conversation by watching the video series and gain the knowledge needed to strengthen your organization’s cybersecurity culture.